Very briefly without having read the documentation I wrote several years ago.
The P processes are essentially sequential processes. Think a single-threaded C program. The protection and relation scheme is very limited. 4 segments (think code, stack, heap and other). These are of size 2^n and can be relocated onto a 2^n boundary. As I recall the virtual addresses are the same (apart from upper limit) for all P processes (apart from size) but can be mapped to a different physical address for each P process. There is enough mechanism that stacks can be dynamically extended (that is, the addressing scheme allows the stack segment to be extended and the instructions which alter the stack pointer (call, ajw and 1 other (?)) can be restarted after a fault). One important thing about this scheme is that the entire mapping and protection regime can be represented in four words.
The model implemented was clear and very simple. The problem David mentioned is a problem but there are others which I’ll explain when I have time - if we are talking Occam we don’t need P-processes, we can check everything. P-processes are for uncheckable (or economically uncheckable) processes. Think - I want to run a Unix program under an Occam implemented operating system.
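
An added illustration, not part of the original post and not the processor's actual descriptor format: a C model of why 2^n-sized segments on 2^n boundaries let the whole mapping fit in four words, and how a stack fault can be resolved by rewriting one word and retrying. The encoding (`base | size/2`), the use of the top two address bits to select the segment, the segment order and all names here are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define REGION_BITS 30u   /* assumed: top 2 bits of a virtual address pick the segment */
#define OFFSET_MASK ((1u << REGION_BITS) - 1u)

/* Pack a 2^n-sized, 2^n-aligned segment into one word as base | size/2.
   Returns 0 (meaning "no access") for a non-power-of-two size or misaligned base. */
uint32_t seg_encode(uint32_t base, uint32_t size)
{
    if (size < 2 || (size & (size - 1)) || size > (1u << REGION_BITS)) return 0;
    if (base & (size - 1)) return 0;
    return base | (size >> 1);
}

/* Translate a virtual address through the four-word map.
   Returns 0 and sets *paddr, or -1 for a protection fault. */
int translate(const uint32_t map[4], uint32_t vaddr, uint32_t *paddr)
{
    uint32_t desc = map[vaddr >> REGION_BITS];
    uint32_t off = vaddr & OFFSET_MASK;
    if (desc == 0) return -1;                 /* segment not mapped */
    uint32_t marker = desc & (0u - desc);     /* lowest set bit is size/2 */
    uint32_t size = marker << 1;
    if (off >= size) return -1;               /* past the segment's upper limit */
    *paddr = (desc ^ marker) | off;           /* base is aligned, so OR equals add */
    return 0;
}

int main(void)
{
    /* Constructed sample map, assumed order: code, stack, heap, other. */
    uint32_t map[4] = { seg_encode(0x00100000u, 0x10000u),
                        seg_encode(0x00208000u, 0x1000u), 0, 0 };
    uint32_t vaddr = 0x40001000u, paddr = 0;  /* one byte past a 4 KiB stack */

    if (translate(map, vaddr, &paddr) != 0) {
        /* Fault handler: double the stack segment, then restart the access. */
        map[1] = seg_encode(0x00208000u, 0x2000u);
        if (translate(map, vaddr, &paddr) == 0)
            printf("retry ok: %#x -> %#x\n", (unsigned)vaddr, (unsigned)paddr);
    }
    return 0;
}
```
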